X-Frame-Options header on error response

ⅰ亾dé卋堺 submitted on 2019-12-12 06:07:24

Question


I found an interesting bug report related to the X-Frame-Options header. But I don't understand how this can be a security problem.

The following code is given as proof of vulnerability:

require 'net/http'
require 'uri'

# Request a deliberately invalid path (10,000 "a"s) so the server answers with an error page
uri = URI.parse("https://play.google.com/#{'a' * 10000}")
response = Net::HTTP.get_response(uri)

# Print every response header as "name: value"
response.each_header { |name, value| puts "#{name}: #{value}" }

# Look the header up on the response itself (lookup is case-insensitive)
if response["x-frame-options"]
  puts response["x-frame-options"]
else
  puts "Missing x-frame-options!"
end

But it is trying to access an invalid URL (https://play.google.com/aaaaaaaaa...) and returns an error page. In the response, the x-frame-options header is missing. I don't understand how this can be a security vulnerability (since it is an invalid page and it's an error response)? How can this be used for clickjacking? Why is it important that the error response also has this header set?
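As an added example (not part of the original question or the linked bug report), here is the same check run offline over several constructed raw HTTP responses, including an error page, so that the audit treats every status code alike and also honours the CSP frame-ancestors directive that supersedes X-Frame-Options. The raw responses and paths are constructed for illustration.

```ruby
# Parse the status line and headers of a raw HTTP/1.1 response.
# Returns [status_code, headers] with header names downcased.
def parse_response(raw)
  head, _body = raw.split("\r\n\r\n", 2)
  status_line, *header_lines = head.split("\r\n")
  status = status_line.split(" ")[1].to_i
  headers = {}
  header_lines.each do |line|
    name, value = line.split(":", 2)
    headers[name.strip.downcase] = value.strip
  end
  [status, headers]
end

# Decide how (or whether) a response is protected against being framed.
# Returns :xfo (X-Frame-Options DENY/SAMEORIGIN), :csp (frame-ancestors), or :none.
# The obsolete ALLOW-FROM value is ignored by current browsers, so it does not count.
def framing_protection(headers)
  xfo = headers["x-frame-options"]
  return :xfo if xfo && %w[deny sameorigin].include?(xfo.downcase)
  csp = headers["content-security-policy"]
  return :csp if csp && csp.downcase.include?("frame-ancestors")
  :none
end

# Audit a hash of path => raw response; return every response (error pages
# included) that lacks framing protection.
def audit(responses)
  responses.map do |path, raw|
    status, headers = parse_response(raw)
    { path: path, status: status, protection: framing_protection(headers) }
  end.select { |r| r[:protection] == :none }
end

# Constructed samples: a normal page with XFO, a CSP-protected page, and a
# 404 error page that is missing the header entirely.
SAMPLES = {
  "/" => "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>ok</html>",
  "/login" => "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors 'none'\r\n\r\n<html>login</html>",
  "/#{'a' * 10000}" => "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>not found</html>",
}

audit(SAMPLES).each do |r|
  puts "#{r[:status]} #{r[:path][0, 20]}... has no framing protection"
end
```

Only the 404 error page is reported, which is exactly the gap the bug report describes: the regular pages are protected, the error response is not.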


Answer 1:


You can add the following line to .htaccess

Header always unset X-Frame-Options


Source: https://stackoverflow.com/questions/28515795/x-frame-options-header-on-error-response
